Configure Akamai with Azure Active Directory B2C
In this sample article, learn how to enable the Akamai Web Application Firewall (WAF) solution for an Azure Active Directory B2C (Azure AD B2C) tenant using custom domains. Akamai WAF helps organizations protect their web applications from malicious attacks that aim to exploit vulnerabilities such as SQL injection and cross-site scripting.
Note
This feature is in public preview.
Benefits of using Akamai WAF solution:
An edge platform that allows traffic management to your services.
Can be configured in front of your Azure AD B2C tenant.
Allows fine grained manipulation of traffic to protect and secure your identity infrastructure.
This article applies to both Web Application Protector (WAP) and Kona Site Defender (KSD) WAF solutions that Akamai offers.
Prerequisites
To get started, you'll need:
An Azure subscription. If you don't have a subscription, you can get a free account.
An Azure AD B2C tenant that is linked to your Azure subscription.
An Akamai WAF account.
Scenario description
Akamai WAF integration includes the following components:
Azure AD B2C Tenant – The authorization server, responsible for verifying the user’s credentials using the custom policies defined in the tenant. It's also known as the identity provider.
Azure Front Door – Responsible for enabling custom domains for Azure B2C tenant. All traffic from Akamai WAF will be routed to Azure Front Door before arriving at Azure AD B2C tenant.
Akamai WAF – The web application firewall, which manages all traffic that is sent to the authorization server.
Integrate with Azure AD B2C
To use custom domains in Azure AD B2C, you must use the custom domain feature provided by Azure Front Door. Learn how to enable Azure AD B2C custom domains.
After custom domain for Azure AD B2C is successfully configured using Azure Front Door, test the custom domain before proceeding further.
Onboard with Akamai
Sign up and create an Akamai account.
Create and configure property
Configure the property settings as:
| Property | Value |
|---|---|
| Property version | Select Standard or Enhanced TLS (preferred) |
| Property hostnames | Add a property hostname. This is the name of your custom domain, for example, login.domain.com. |

Create or modify a certificate with the appropriate settings for the custom domain name. Learn more about creating a certificate.

Set the origin server property configuration settings as:

| Property | Value |
|---|---|
| Origin type | Your origin |
| Origin server hostname | yourafddomain.azurefd.net |
| Forward host header | Incoming Host Header |
| Cache key hostname | Incoming Host Header |
Configure DNS
Create a CNAME record in your DNS, such as login.domain.com, that points to the Edge hostname in the Property hostname field.
Configure Akamai WAF
Ensure that Rule Actions for all items listed under the Attack Group are set to Deny.
Learn more about how the control works and configuration options.
Test the settings
Check the following to ensure all traffic to Azure AD B2C is going through the custom domain:
- Make sure all incoming requests to the Azure AD B2C custom domain are routed via Akamai WAF and use a valid TLS connection.
- Ensure all cookies are set correctly by Azure AD B2C for the custom domain.
- The Akamai WAF dashboard available under the Defender for Cloud console displays charts for all traffic that passes through the WAF, along with any attack traffic.
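The checklist above can be turned into a repeatable verification script. The following is an added example, not code from the article, Microsoft or Akamai. It works on captured evidence (resolver answers, the certificate dictionary that Python's `ssl` module returns from `getpeercert()`, `Set-Cookie` headers and the property's origin settings) instead of making live requests, so it runs offline. The sample evidence is constructed; `login.domain.com` and `yourafddomain.azurefd.net` are the article's own examples, while the edge hostname `login.domain.com.edgekey.net`, the cookie names and the settings key names are assumed placeholders.

```python
from __future__ import annotations

import ssl
import time
from http.cookies import SimpleCookie
from typing import Optional

# Constructed placeholders, not real infrastructure. The custom domain and the
# Front Door hostname are the article's examples; the edge hostname is assumed.
CUSTOM_DOMAIN = "login.domain.com"
EDGE_HOSTNAME = "login.domain.com.edgekey.net"  # assumption
ORIGIN_HOSTNAME = "yourafddomain.azurefd.net"


def check_origin_settings(settings: dict) -> list[str]:
    """Compare the origin server settings with the article's origin table.

    Forwarding the incoming Host header (and keying the cache on it) is what lets
    Azure Front Door see the custom domain rather than the *.azurefd.net name.
    """
    problems = []
    if settings.get("origin_type") != "Your origin":
        problems.append("origin type must be 'Your origin'")
    if not settings.get("origin_hostname", "").endswith(".azurefd.net"):
        problems.append("origin hostname is not an Azure Front Door endpoint")
    for key in ("forward_host_header", "cache_key_hostname"):
        if settings.get(key) != "Incoming Host Header":
            problems.append(f"{key} must be 'Incoming Host Header'")
    return problems


def check_cname(dns_answers: dict, custom_domain: str, edge_hostname: str) -> list[str]:
    """dns_answers maps a name to the CNAME target a resolver reported for it."""
    target = dns_answers.get(custom_domain)
    if target is None:
        return [f"no CNAME record for {custom_domain}"]
    if target.rstrip(".").lower() != edge_hostname.lower():
        # A CNAME straight to the Front Door endpoint would bypass the WAF.
        return [f"{custom_domain} CNAME points to {target}, expected {edge_hostname}"]
    return []


def check_certificate(cert: dict, custom_domain: str, now: Optional[float] = None) -> list[str]:
    """cert has the shape returned by ssl.SSLSocket.getpeercert()."""
    now = time.time() if now is None else now
    problems = []
    sans = {value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"}
    if custom_domain not in sans:
        problems.append(f"certificate SANs {sorted(sans)} do not cover {custom_domain}")
    if ssl.cert_time_to_seconds(cert["notAfter"]) <= now:
        problems.append("certificate has expired")
    return problems


def check_cookies(set_cookie_headers: list[str], custom_domain: str) -> list[str]:
    """Each cookie must be Secure and either host-only or scoped to the custom domain."""
    problems = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if not morsel["secure"]:
                problems.append(f"cookie {name} lacks the Secure attribute")
            domain = morsel["domain"].lstrip(".").lower()
            if domain and domain != custom_domain and not custom_domain.endswith("." + domain):
                problems.append(f"cookie {name} is scoped to {domain}, not {custom_domain}")
    return problems


def run_checks(evidence: dict) -> dict[str, list[str]]:
    """Run all four checks; an empty list means that area passed."""
    return {
        "origin": check_origin_settings(evidence["origin_settings"]),
        "dns": check_cname(evidence["dns"], CUSTOM_DOMAIN, EDGE_HOSTNAME),
        "tls": check_certificate(evidence["certificate"], CUSTOM_DOMAIN, now=evidence["now"]),
        "cookies": check_cookies(evidence["set_cookie"], CUSTOM_DOMAIN),
    }


# Constructed evidence for a deployment that matches the article (fixed clock so
# the certificate check is reproducible offline) ...
GOOD_EVIDENCE = {
    "now": 1_700_000_000,
    "origin_settings": {"origin_type": "Your origin", "origin_hostname": ORIGIN_HOSTNAME,
                        "forward_host_header": "Incoming Host Header",
                        "cache_key_hostname": "Incoming Host Header"},
    "dns": {CUSTOM_DOMAIN: EDGE_HOSTNAME + "."},
    "certificate": {"subjectAltName": (("DNS", CUSTOM_DOMAIN),), "notAfter": "Jun 10 12:00:00 2030 GMT"},
    "set_cookie": ["b2c_session=abc; Domain=login.domain.com; Path=/; Secure; HttpOnly",
                   "b2c_csrf=def; Path=/; Secure"],
}

# ... and one where the CNAME skips Akamai, the Host header is rewritten,
# the certificate is for the wrong name and expired, and cookies are mis-scoped.
BAD_EVIDENCE = {
    "now": 1_700_000_000,
    "origin_settings": {"origin_type": "Your origin", "origin_hostname": ORIGIN_HOSTNAME,
                        "forward_host_header": "Origin Hostname",
                        "cache_key_hostname": "Origin Hostname"},
    "dns": {CUSTOM_DOMAIN: ORIGIN_HOSTNAME},
    "certificate": {"subjectAltName": (("DNS", ORIGIN_HOSTNAME),), "notAfter": "Jan 10 00:00:00 2020 GMT"},
    "set_cookie": ["b2c_session=abc; Path=/; HttpOnly",
                   "b2c_csrf=def; Domain=tenant.example; Path=/; Secure"],
}

if __name__ == "__main__":
    for label, evidence in (("good", GOOD_EVIDENCE), ("bad", BAD_EVIDENCE)):
        for area, problems in run_checks(evidence).items():
            print(f"{label:4} {area:8} {'OK' if not problems else '; '.join(problems)}")
```

To use it against a real deployment, replace the constructed evidence with the CNAME answer from your resolver, the dictionary returned by `ssl.SSLSocket.getpeercert()` for a connection to the custom domain, and the `Set-Cookie` headers from a sign-in response; a CNAME that resolves straight to the Front Door endpoint is the misconfiguration most worth catching, because it leaves the WAF out of the path entirely.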
Next steps